Microsoft integrates OAuth 2.0 in play for Facebook goodness

Microsoft has suckered up to Facebook's social graph API with the implementation of OAuth 2.0 on its Windows Live developer platform.

The company announced plans to hook its next version of Microsoft's Messenger Connect coder system into the open authorisation standard in early May, when its ID expert Kim Cameron quit Redmond.

In effect, Microsoft wants its Windows Live platform to plug more seamlessly into social networks, with Facebook being the clear endgame here.

The dominant social network doesn't offer the same interconnection with, say, Hotmail via its site. Instead, controlled elements of Facebook's social graph simply feed out of Zuckerberg Towers into often less popular landing pages on the web.

"Nearly all Windows 7 PCs come pre-installed with Messenger, Photo Gallery, and the other Windows Live Essentials apps - just connect Facebook, LinkedIn, and other services to get a wide range of rich features like Facebook chat and social feeds in Messenger, photo publishing with people tagging in Photo Gallery, and all your contacts seamlessly available across Windows Live," said Microsoft's Messenger Connect platform messenger Dare Obasanjo.

"And of course, you just have to do this once and your connected services roam with you to Windows Phone, Hotmail, and more."

The OAuth 2.0 standard allows users to type in their credentials once, before being able to share content with other sites and devices.

"Not surprisingly, developers want access to more integration scenarios via more modern standard protocols, in ways that are easier to program against, with a simpler experience for end users of their apps and sites," said Obansanjo.

In other words, the company is now chanting a single sign-on mantra for its online estate.

"This means users don’t have to re-enter their credentials. To use this, all a partner site or application has to do is to ask for the wl.signin scope when requesting user consent, and afterwards, if the user comes to that website when they’re signed in to a Windows Live ID-based site, they will also be signed in to the partner site or application," he said.

"Signing out of the partner website will also sign the user out of other Windows Live websites."

Will short term gain lead to future pain?

However, one of the editors of the original OAuth protocol has previously expressed security concerns about version 2.0 of the open authorisation standard.

"As long as a site offers both an OAuth API and a human web interface (i.e. a website), the overall service will only be as secure as its weakest part - the cookie-based authentication system," wrote Hammer-Lahav on his blog last September.

Cuddle time

"The problem with this argument is not today, but five years from now. When trying to propose a new cookie protocol, developers will make the same argument, only this time pointing the finger at OAuth 2.0 as the weakest link.

"Removing signatures and relying solely on a secure channel solves the immediate problem, and maintain the same existing level of security. But it lacks any kind of forward looking responsibility, and the drive to make the web more secure. It’s a copout."

Meanwhile, Cameron - who left Microsoft's cryptography team last month - has similarly aired concerns about current industry trends on ID.

He has called for an advocate to champion his "user-centric identity" approach, which is about keeping various bits of an individual's online life totally separated.

"[That model] can be much more effective than shotgun splattering of ads or profiling that alienates us and makes us feel like robots are ruling our lives. Lots of people are upset about this," said Cameron in May. He used Microsoft, Google and Facebook as examples of companies pursuing those strategies.

Perhaps worryingly for some privacy activists, that trend doesn't appear to lie simply within the corporate sphere.

As we revealed last week, the UK government's Cabinet Office has been in talks with various social networks about the possibility of allowing British citizens to sign into public services online in an effort to simplify the process, by farming out the logon authentication process to a third party partner such as a bank or, more surprisingly, Facebook. ®